Backdoor found in ZTE Android phones

Two mobile phones developed by Chinese telecommunications device manufacturer ZTE have been found to carry a hidden backdoor that can be used to instantly gain root access with a password that has been hard-coded into the software.

Android devices typically ship with the user unable to run commands as the "root user", in order to protect customers from any inadvertent damage they could cause and to reduce the chance of rogue applications taking complete control of the device. However, following an anonymous post to Pastebin, security researchers have found that ZTE has installed an application on the Score M and the Skate mobile phones that makes rooting these phones simple.

The post said:

There is a setuid-root [set user ID upon execution] application at /system/bin/sync_agent that serves no function besides providing a root shell backdoor on the device. Just give the magic, hard-coded password to get a root shell.

The phone is available in the US and the UK, amongst other markets. While no telco in Australia appears to be selling the Score M or Skate mobile phones outright, it is still possible to purchase it online or through smaller firms. ZTE has offices in Sydney and Melbourne, and is a supplier of a large number of Telstra mobile phones, typically rebranded as Telstra's own T- and F-series mobile phones. Telstra is aware of the issue and is in the process of testing its devices to determine if the backdoor exists on them.

"Our preliminary tests suggest that handsets supplied to Telstra are unaffected by this issue. That said, we take device security very seriously, and we are conducting more extensive testing to confirm our initial findings. Should we discover any issues, we will contact customers directly," Telstra said in a statement.

ZTE is also the company behind the Optus-branded MyTab tablet, which runs Android.

ZDNet Australia contacted Optus to comment on whether its devices may be affected, but did not receive a response at the time of writing.

Although Vodafone sells ZTE-branded USB modems, it does not sell any Android devices from ZTE in Australia.

Former McAfee threat research vice president Dmitri Alperovitch is a security researcher who has independently verified the original claim, posting the password to the hidden application on Twitter.

@DmitriCyber @k_sec We have just confirmed this. Password is ztex1609523 in the backdoor

There are also a number of reports from users on Reddit, some of whom said that there does not appear to be any way of remotely accessing the backdoor. However, other users have pointed out that if a hacker wrote another application to access the backdoor, it would be a trivial matter to first root the device and then take complete control.
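
Because the backdoor described above is a setuid-root executable sitting in /system/bin, one way to check a device image for this class of problem is to list every root-owned setuid executable and compare it against a known-good baseline. The following is an added example, not code from ZDNet, ZTE or the researchers; the function names, the baseline contents and the sample records are assumptions made for illustration, and `walk_image` assumes the image was extracted so that its top directory contains `system/` with ownership preserved.

```python
import os
import stat

# Hypothetical baseline: setuid binaries expected on a known-good build.
# Replace with the list taken from a reference image for the device.
BASELINE = {"/system/bin/run-as"}

def walk_image(root):
    """Yield (device_path, st_mode, st_uid) for each regular file under an
    extracted or mounted image whose top directory is `root`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the image
            if stat.S_ISREG(st.st_mode):
                rel = os.path.relpath(full, root)
                yield "/" + rel.replace(os.sep, "/"), st.st_mode, st.st_uid

def unexpected_setuid_root(entries, baseline=BASELINE):
    """Return sorted paths that are root-owned, setuid, executable
    and absent from the baseline."""
    flagged = []
    for path, mode, uid in entries:
        is_setuid = bool(mode & stat.S_ISUID)
        is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        if uid == 0 and is_setuid and is_exec and path not in baseline:
            flagged.append(path)
    return sorted(flagged)

# Constructed sample records (path, mode, uid), not taken from a real device dump.
SAMPLE = [
    ("/system/bin/sh", 0o100755, 0),                     # root, not setuid
    ("/system/bin/run-as", 0o104750, 0),                 # setuid root, in baseline
    ("/system/bin/sync_agent", 0o104755, 0),             # setuid root, unexpected
    ("/system/bin/tool_owned_by_shell", 0o104755, 2000), # setuid, but not root
]

if __name__ == "__main__":
    for p in unexpected_setuid_root(SAMPLE):
        print("review:", p)
```

Against a real image, pass `walk_image("/path/to/extracted/image")` in place of `SAMPLE`; anything reported is a binary that runs with root privileges for any caller and needs a documented reason to exist.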